Password Guidance

Recommendations

Info

Page 8 Password Guidance Simplifying Your Approach Tip 4: Understand the limitations of machinegenerated passwords Machine-generated passwords eliminate those passwords that would be simple for an attacker to guess. They require little effort from the user to create, and, depending on the generation scheme, can produce passwords that are fairly easy to remember. The main advantage of machine-generated schemes is that they eliminate those passwords that would be simple for an attacker to guess. They also deliver a known level of ‘randomness’ so it’s possible to calculate the time it would take to crack the password using a brute-force attack. Compared to user-generated schemes, there is no need to use blacklisting, and user training should be simpler. They also require little effort from the user for password creation. Some machine generation schemes can produce passwords which are very difficult for people to remember. This increases both the demand on helpdesk for resets, and also the likelihood of insecure storage. They are not recommended. Instead, use a generation scheme designed for high memorability (such as passphrases, 4 random dictionary words or CVC-CVC-CVC 4 style passwords). Ideally, you should give users a choice of passwords, so they can select the one they find the most memorable. Technical controls Technical controls such as account lockout, throttling or protective monitoring are still relevant when using machine-generated passwords. In summary Choose a scheme that produces passwords that are easier to remember. Offer a choice of passwords, so users can select one they find memorable. As with user-generated passwords, tell users that work passwords protect important assets; they should never reuse passwords between work and home. 4 Consonant-vowel-consonant constructions
Password Guidance Simplifying Your Approach Page 9 Tip 5: Prioritise administrator and remote user accounts Administrator accounts have highly privileged access to systems and services. Compromise of these accounts is a threat to the wider system, and therefore especially attractive to attackers. Ensure that robust measures are in place to protect administrator accounts. Administrator accounts should not be used for high risk or dayto-day user activities, such as accessing external email or browsing the Internet. Administrators should also have ‘standard’ user accounts for normal business use (with different passwords). Remote users Remote users who require remote login access, which can include the use of VPNs, email/webmail and other forms of access to internal systems, should be required to provide extra evidence (such as a token). This can form part of your two factor authentication policy for all remote accounts. In summary Give administrators, remote users and mobile devices extra protection. Administrators must use different passwords for their administrative and non-administrative accounts. Do not routinely grant administrator privileges to standard users. Consider implementing two factor authentication for all remote accounts. Make sure that absolutely no default administrator passwords are used.
Page 1 and 2: Simplifying Your Approach Password
Page 3 and 4: Password Guidance Simplifying Your
Page 7: Password Guidance Simplifying Your
Page 13: Password Guidance Simplifying Your

Password Guidance

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?